CROSS-REFERENCE TO RELATED APPLICATIONS
The present application is a continuation of, and claims the priority benefit of, U.S. patent application Ser. No. 14/832,935 filed on Aug. 21, 2015 and entitled “System for Providing DNS-Based Control of Individual Devices,” which in turn is a continuation of, and claims the priority benefit of, U.S. patent application Ser. No. 14/745,183 filed on Jun. 19, 2015 and entitled “System for Providing DNS-Based Control of Individual Devices,” which are incorporated by reference in their entirety herein.
TECHNICAL FIELD
This disclosure relates generally to data processing, and more specifically to a system for providing DNS-based control of individual devices.
BACKGROUND
Groups of Internet users such as households and offices often have several individual computing devices (“individual devices”) attached to the Internet through a gateway. The individual devices may be a variety of types, such as personal computers, gaming devices, and tablets.
There is a need to exercise control over the users' devices for many purposes. One purpose is parental control, in which a household's parents regulate their children's Internet use. Another purpose is security, in which users are prevented from visiting sites or performing operations that are considered dangerous.
One type of existing device control technology has utilized device control software that runs on each individual device. Such technology has several disadvantages. It complicates the task of installing and configuring the device control software by distributing it over many devices. It requires a provider to provide, and a user to install, a different implementation of device control software for each type of device. It has the potential for a user to evade control entirely by disabling the device control software on the user's own device, or by gaining access to the Internet through a device on which device control software has not been installed.
Another type of existing device control technology has utilized software that runs on the gateway. Such software is often limited in function because the memory and computing power on a gateway device typically is limited.
Another type of existing device control technology has utilized software that runs on a server through which the gateway gains access to the Internet. Such software typically cannot distinguish among the individual devices that communicate through the gateway, and so it cannot apply different controls to individual devices.
There exists a need for device control technology that runs in a central location, cannot be evaded by users of individual devices, and can distinguish among devices in order to apply different controls individually.
SUMMARY OF THE DISCLOSURE
This summary is provided to introduce a selection of concepts in a simplified form that are further described in the Detailed Description below. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
In a device control system designed according to the present disclosure, the gateway attaches a unique identifier to DNS messages originated by each individual device that is served by a gateway. The unique identifier may consist of a gateway identifier and a device identifier. The gateway identifier is fixed for each gateway. The unique identifier may be contained in pseudo-resource-records according to the EDNS0 standard.
The device identifier is easy for the gateway to obtain because the gateway has access to all of the headers and other control information in messages exchanged between the gateway and the individual devices under its control. Thus the software that needs to be added to the gateway to enable the device control system is simple and has a small footprint.
Device control is performed by a software module associated with the DNS server that responds to DNS messages forwarded by the gateway. In some embodiments of the device control software, the software module is associated with a memory device which holds a plurality of policies. The policies control the software module's treatment of the individual devices attached to the gateway. The policies may be configured by a person with authority over the individual devices, such as a parent or a system administrator, through an individual device that can communicate with the software module.
A device control system designed according to the present disclosure may be used to implement parental control over individual devices attached to a gateway in a household. It may also be used to provide security to the individual devices in a household, office, or other location. It may also be used to deliver messages to individual devices, to insert advertising content into the data stream delivered to individual devices, to track the locations of individual devices, and for other purposes.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments are illustrated by way of example, and not by limitation, in the figures of the accompanying drawings, in which like references indicate similar elements.
FIG. 1 shows a system for providing DNS-based control of individual devices and the structure of a DNS query employed by the system.
FIG. 2 shows the operation of a user interface to the system for providing DNS-based control of individual devices, by means of which a privileged user may exercise control over a policy that governs an individual device's access to content servers.
FIG. 3 shows a parental control application of the device control system in which a policy permits or blocks access to a site by an individual device.
FIG. 4 shows a subscriber security application of the device control system in which a policy protects devices from malicious sites on an individualized basis.
FIG. 5 shows an advertising delivery application of the device control system in which a policy causes advertising content to be delivered to an individual device.
FIG. 6 shows a messaging application of the device control system in which a policy causes a message to be delivered to an individual device.
FIG. 7 shows a mobile device tracking application of the device control system.
FIG. 8 shows a device control application of the device control system in which a policy causes the system to exercise a control function on an individual device or an application that runs on an individual device.
FIG. 9 shows an example of the device control system in which individual devices are classified into groups and policies are applied to groups.
FIG. 10 shows a content selection application of the device control system in which a policy causes a policy-sensitive content server to select content to be delivered to an individual device in response to a content request.
FIG. 11 shows the components of a system for providing DNS-based control of individual devices.
DETAILED DESCRIPTION
The following detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show illustrations in accordance with example embodiments. These example embodiments, which are also referred to herein as “examples,” are described in enough detail to enable those skilled in the art to practice the present subject matter. The embodiments can be combined, other embodiments can be utilized, or structural, logical, and electrical changes can be made without departing from the scope of what is claimed. The following detailed description is therefore not to be taken in a limiting sense, and the scope is defined by the appended claims and their equivalents. In this document, the terms “a” and “an” are used, as is common in patent documents, to include one or more than one. In this document, the term “or” is used to refer to a nonexclusive “or,” such that “A or B” includes “A but not B,” “B but not A,” and “A and B,” unless otherwise indicated.
The present disclosure describes a device control system which exercises control over individual devices which communicate with the Internet through a gateway.
“Individual device” is used herein to refer to any computing device that is capable of communicating through the Internet and delivering communicated content to an individual user. An individual device may be a personal computer (PC), a smartphone, a gaming console, a tablet, or a phablet.
“Gateway” is used herein to refer to any connection point at the edge of a network through which at least one household, office, or other location connects at least one individual device to the Internet. A gateway may be fixed or mobile.
“Network control point” is used herein to refer to any network which connects a gateway to the associated individual devices. A local area network is an example of a network control point. A network control point is not necessarily constrained to operate in a fixed location or a limited physical locality.
“Wide area network” and “WAN” are used herein to refer to any network which connects at least one gateway to at least one server. The Internet is an example of a wide area network.
Referring now to the drawings, FIG. 1 illustrates a device control system 100 designed according to an embodiment of the device control system and a DNS record utilized by the device control system 100. At least one individual device 102 is connected through a network control point 104 to a gateway 106. The gateway 106 is connected through a wide area network 108 to a dynamic policy enforcement engine 110. The dynamic policy enforcement engine 110 communicates with a DNS engine 112 and with a memory device 114 which holds a plurality of policies 116 which may apply to different individual devices 102. The dynamic policy enforcement engine 110, the DNS engine 112, and the memory device 114 may each run on a dedicated server, on a shared server, or in a computing cloud.
An individual device 102 sends a DNS query 118 to the DNS engine 112 when it needs to resolve a domain name to an IP address. The DNS query 118 passes through the network control point 104, the gateway 106, the wide area network 108, and the dynamic policy enforcement engine 110.
A unique gateway identifier 120 is assigned to each gateway 106 that communicates with the dynamic policy enforcement engine 110. The gateway identifier 120 may be permanently assigned when the gateway 106 is manufactured, or may be assigned dynamically when the gateway 106 is recognized by the dynamic policy enforcement engine 110. The gateway identifier 120 may include an identifier associated with the gateway 106's location on the wide area network 108, such as the gateway 106's IP address.
A unique device identifier 122 is associated with each individual device 102 that is associated with a given gateway 106. The device identifier 122 may be permanently assigned when the individual device 102 is manufactured. Alternatively, the device identifier 122 may be derived from a property of the individual device 102's location on the network control point 104, such as an internal IP address or a MAC address.
The additional data section 124 may contain one or more resource records 126, some of which may be pseudo resource records (pseudo-RRs). The gateway 106 inserts into the additional data section 124 a pseudo-RR 128 whose pseudo resource record type 130 is OPT, identifying it as an EDNS0 pseudo-RR. The gateway 106 inserts the gateway identifier 120 and the device identifier 122 into the pseudo-RR 128, uniquely identifying the individual device 102 which originated the DNS query 118.
When the dynamic policy enforcement engine 110 receives the DNS query 118, it extracts the pseudo-RR 128 from the additional data section 124 and uses the gateway identifier 120 and device identifier 122 to select a policy 116 which applies to the individual device 102 which originated the DNS query 118. The dynamic policy enforcement engine 110 then processes the DNS query 118 according to the selected policy 116. Depending on the contents of the policy 116, the dynamic policy enforcement engine 110 may pass the DNS query 118 to the DNS engine 112, pass a modified version of the DNS query 118 to the DNS engine 112, block the DNS query 118 from the DNS engine 112 and return its own response to the individual device 102, or block the DNS query 118 from the DNS engine 112 and return no response to the individual device 102. If the dynamic policy enforcement engine 110 passes the original DNS query 118 or a modified DNS query to the DNS engine 112, it may return the DNS engine 112's response, return a modified version of the DNS engine 112's response, block the response and send its own response, or block the response and send no response.
If the dynamic policy enforcement engine 110 blocks the DNS query 118, blocks the DNS engine 112's response, or modifies the DNS query 118 or the DNS engine 112's response, it may prevent the individual device 102 from obtaining the IP address of a site 132 which is the object of the DNS query 118, effectively blocking the individual device 102 from access to content 134 of the site 132.
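The tagging and lookup steps described for FIG. 1, as an added Python example that is not part of the patent text. The option code 65001 (taken from the EDNS0 local/experimental range), the payload layout, the identifiers and the policy names are assumptions, since the disclosure does not specify them; replacing an option that is already present in the device's query is likewise an added design choice.

```python
import struct

OPT = 41             # RR type of the EDNS0 OPT pseudo-RR (RFC 6891)
ID_OPTION = 65001    # assumption: option code from the local/experimental range

# Constructed sample identifiers and policies (not from the disclosure).
GATEWAY_ID = b"gw-0001"
CHILD_MAC = bytes.fromhex("020000000001")
PARENT_MAC = bytes.fromhex("020000000002")
POLICIES = {(GATEWAY_ID, CHILD_MAC): "child-filter",
            (GATEWAY_ID, PARENT_MAC): "allow-all"}

def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0x1234):
    """Constructed sample: an A/IN query as a device sends it, no additional section."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!2H", 1, 1)

def _skip_name(msg, off):
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:          # a compression pointer ends the name
            return off + 2
        off += 1 + n

def _parse(msg):
    """Split a query into (header fields, question bytes, additional RRs)."""
    txid, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if an or ns:
        raise ValueError("expected a query with empty answer/authority sections")
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4        # name, then QTYPE and QCLASS
    questions, rrs = msg[12:off], []
    for _ in range(ar):
        end = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, end)
        rdata = msg[end + 10:end + 10 + rdlen]
        if len(rdata) != rdlen:
            raise ValueError("truncated resource record")
        rrs.append((msg[off:end], rtype, rclass, ttl, rdata))
        off = end + 10 + rdlen
    return (txid, flags, qd), questions, rrs

def _options(rdata):
    """Decode OPT RDATA into a list of (option code, option data)."""
    opts, off = [], 0
    while off + 4 <= len(rdata):
        code, length = struct.unpack_from("!HH", rdata, off)
        opts.append((code, rdata[off + 4:off + 4 + length]))
        off += 4 + length
    return opts

def tag_query(msg, gateway_id, device_id):
    """Gateway side: add or rewrite the OPT pseudo-RR so it carries both identifiers."""
    (txid, flags, qd), questions, rrs = _parse(msg)
    others = [rr for rr in rrs if rr[1] != OPT]
    # Reuse the device's OPT RR if present, otherwise create one (UDP size 1232).
    opt = next((rr for rr in rrs if rr[1] == OPT), (b"\x00", OPT, 1232, 0, b""))
    # Drop any copy of the option that arrived from the device, so only the
    # gateway's value reaches the policy engine (added design choice).
    opts = [o for o in _options(opt[4]) if o[0] != ID_OPTION]
    # Assumed payload layout: 1-byte gateway-id length, gateway id, device id.
    opts.append((ID_OPTION, bytes([len(gateway_id)]) + gateway_id + device_id))
    rdata = b"".join(struct.pack("!HH", c, len(d)) + d for c, d in opts)
    out = struct.pack("!6H", txid, flags, qd, 0, 0, len(others) + 1) + questions
    for name, rtype, rclass, ttl, data in others + [(opt[0], OPT, opt[2], opt[3], rdata)]:
        out += name + struct.pack("!HHIH", rtype, rclass, ttl, len(data)) + data
    return out

def extract_ids(msg):
    """Engine side: return (gateway_id, device_id), or None if the query is untagged."""
    _, _, rrs = _parse(msg)
    for _, rtype, _, _, rdata in rrs:
        if rtype != OPT:
            continue
        for code, data in _options(rdata):
            if code == ID_OPTION and data and len(data) > 1 + data[0]:
                n = data[0]
                return data[1:1 + n], data[1 + n:]
    return None

def select_policy(msg, policies, default="block"):
    """Pick the policy keyed by (gateway_id, device_id); unknown senders get the default."""
    return policies.get(extract_ids(msg), default)

if __name__ == "__main__":
    tagged = tag_query(build_query("example.com"), GATEWAY_ID, CHILD_MAC)
    print(extract_ids(tagged), select_policy(tagged, POLICIES))
```
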
In some embodiments, the device control system 100 may deliver content to an individual device 102, as distinguished from directing the individual device 102 to content on other servers. In such embodiments, a communication module 136 affords access to content provided by the device control system 100.
FIG. 2 shows an embodiment 200 of the device control system in which policies that control the dynamic policy enforcement engine may be created and maintained. At least one privileged user 202 uses an individual device 204 which is associated with a gateway 206. One or more non-privileged users 208 may use individual devices 210 which are also associated with the gateway 206. The privileged user 202 communicates with a policy control user interface 212. The policy control user interface 212 may be implemented as an application on a web server operated by an Internet service provider (ISP) 214. The policy control user interface 212 may communicate with the gateway 206, the ISP 214, or a dynamic policy enforcement engine 216.
The policy control user interface 212 may permit the privileged user 202 to create and maintain policies 218 that apply to users of individual devices 204, 210 associated with the gateway 206, including the privileged user 202 him or herself, other privileged users 202, and non-privileged users 208. The policies 218 are stored in a memory device 220. The policy control user interface 212 may create and maintain the policies 218 by operating directly on the memory device 220, or by communicating with the dynamic policy enforcement engine 216 which operates on the memory device 220.
In other embodiments the policy control user interface 212 may include a gateway interface, an ISP interface, or a DNS interface, which respectively communicate with the gateway 206, the ISP 214, or a DNS engine 222. The policy control user interface 212 may create and maintain policies 218 by respectively setting one or more flags on the gateway interface, the ISP interface, or the DNS interface.
FIG. 3 shows an embodiment 300 of the device control system which is adapted to parental control. One or more children 302 use one or more child's devices 304 to communicate through a gateway 306 which is associated with a household 308. Each DNS query from a child's device 304 to a DNS engine 310 passes through a dynamic policy enforcement engine 312, which selects a policy 314 which applies to that child's device 304 from a memory device 316.
If the selected policy 314 indicates that the child's device 304's DNS query refers to an unblocked site 318, the dynamic policy enforcement engine 312 may pass the DNS query to the DNS engine 310 and return the DNS engine 310's response to the child's device 304. The child's device 304 may then request content from the unblocked site 318.
If the selected policy 314 indicates that the child's device 304's DNS query refers to a blocked site 320, the dynamic policy enforcement engine 312 may take action which denies the child 302 access to the blocked site 320. For example, it may return a response to the DNS query which redirects the child's device 304 to a web page that contains a blocked site message 322, or to an alternative site that is not blocked. Alternatively, it may block the DNS query from the DNS engine 310 and send no response.
The dynamic policy enforcement engine 312 may operate on responses from the DNS engine 310 instead of or in addition to operating on DNS queries to the DNS engine 310. For example, the dynamic policy enforcement engine 312 may block responses that contain a certain IP address or an IP address in a certain range, instead of or in addition to blocking DNS queries that contain certain domain names.
Parental control is exercised by one or more parents 324 using parent's devices 326 which communicate with a policy control user interface 328. The policy control user interface 328 creates and maintains policies 314 for the parents 324 and stores them in the memory device 316.
FIG. 4 shows an embodiment 400 of the device control system which is adapted to provide security to users. One or more users 402 use one or more individual devices 404 to communicate through a gateway 406. Each DNS query from an individual device 404 to a DNS engine 408 passes through a dynamic policy enforcement engine 410, which selects a policy 412 which applies to that individual device 404 from a memory device 414. The dynamic policy enforcement engine 410 uses the policy 412 to determine whether a site 416, 418 that is the object of the DNS request is a benign site 416 or a malicious site 418. A malicious site 418 may be characterized by content that includes malware, by phishing, or by executing attacks on users or on other sites.
If the selected policy 412 indicates that the individual device 404's DNS query refers to a benign site 416, the dynamic policy enforcement engine 410 may pass the DNS query to the DNS engine 408 and return the DNS engine 408's response to the individual device 404. The individual device 404 may then request content from the benign site 416.
If the selected policy 412 indicates that the individual device 404's DNS query refers to a malicious site 418, the dynamic policy enforcement engine 410 may take action which denies the user 402 access to the malicious site 418. For example, it may return a response to the DNS query which redirects the individual device 404 to a web page that contains a blocked site message 420, or to a benign alternative site. Alternatively, it may block the DNS query from the DNS engine 408 and send no response.
The dynamic policy enforcement engine 410 may operate on responses from the DNS engine 408 instead of or in addition to operating on DNS queries to the DNS engine 408. For example, the dynamic policy enforcement engine 410 may block DNS responses that contain a certain IP address or an IP address in a certain range, instead of or in addition to blocking DNS queries that contain certain domain names.
Administrative control is exercised by one or more administrative users 422 using administrative user's devices 424 which communicate with a policy control user interface 426. The policy control user interface 426 creates and maintains policies 412 for the administrative users 422 and stores them in the memory device 414.
FIG. 5 shows an embodiment 500 of the device control system which is adapted to deliver advertisement content to users. One or more users 502 use one or more individual devices 504 to communicate through a gateway 506. An advertisement module 508 receives a first DNS query from an individual device 504 and selects an advertisement 510 from a memory device 512, the selected advertisement 510 to be delivered to the individual device 504.
The advertisement module 508 may return a DNS response to the individual device 504 which causes the individual device 504 to load the advertisement 510 from a communication module 514 instead of loading the page requested by the first DNS query. The communication module 514 retrieves the advertisement 510 from the memory device 512 and returns it to the individual device 504.
The advertisement 510 may include a hyperlink or other control which the user 502 may select to load the page which the individual device 504 requested in the first DNS query. When the user 502 selects the hyperlink or other control the individual device 504 may send a second DNS query to the advertisement module 508. The second DNS query may contain a URL which the advertisement module 508 recognizes as a request originated by an advertising page as distinguished from a request originated by the user 502. The advertisement module 508 accordingly passes a DNS query to a DNS engine 516 and returns the DNS engine 516's response to the individual device 504. The DNS query which the advertisement module 508 passes to the DNS engine 516 may be the first DNS query, or may be an equivalent of the first DNS query which the advertisement module 508 reconstructs from the second DNS query.
The advertisement module 508's selection of the advertisement 510 may be based at least in part on historical user actions 518. Historical user actions 518 may include actions such as issuing DNS queries for particular types of content and indicating approval or disapproval of advertisements 510 by selecting hyperlinks or other controls which may be included in the advertisements 510 for that purpose. The advertisement module 508 may store historical user actions 518 in a historical memory device 520 and subsequently refer to them when selecting advertisements 510.
FIG. 6 shows an embodiment 600 of the device control system which is adapted to deliver messages to users. One or more users 602 use one or more individual devices 604 to communicate through a gateway 606. A messaging module 608 receives a first DNS query from an individual device 604 and selects a message 610 from a memory device 612, the selected message 610 to be delivered to the individual device 604. The messages 610 may be addressed to specific users 602 of individual devices 604.
The messaging module 608 returns a DNS response to the individual device 604 which causes the individual device 604 to load the selected message 610 from a communication module 614 instead of loading the page requested by the first DNS query. The communication module 614 retrieves the selected message 610 from the memory device 612 and returns it to the individual device 604. The user 602 may view the message via a browser 618 or via an application 620 associated with the individual device 604.
The message 610 may include a hyperlink or other control which the user 602 may select to load the page which the individual device 604 requested in the first DNS query. The hyperlink or other control may cause the individual device 604 to send a second DNS query to the messaging module 608. The second DNS query may contain a URL which the messaging module 608 recognizes as a request originated by a message page as distinguished from a request originated by the user 602. The messaging module 608 accordingly passes a DNS query to the DNS engine 616 and returns the DNS engine 616's response to the individual device 604. The DNS query which the messaging module 608 passes to the DNS engine 616 may be the first DNS query, or may be an equivalent of the first DNS query which the messaging module 608 reconstructs from the second DNS query.
FIG. 7 shows an embodiment 700 of the device control system which is adapted to track mobile devices. One or more mobile devices 702 communicate through a wireless network 704 to a gateway 706. The wireless network 704 may consist of one or more WiFi connections between the gateway 706 and the respective mobile devices 702. The gateway 706 may be a mobile device such as a mobile hotspot. The gateway 706 is connected through a wide area network 708 to a dynamic policy enforcement engine 710. The dynamic policy enforcement engine 710 communicates with a DNS engine 712, and may also communicate with a memory device 714 which holds a plurality of policies 716 which apply to different mobile devices 702.
A mobile device 702 periodically reports its coordinates 718 to the gateway 706. The coordinates 718 may be obtained from GPS data.
The mobile device 702 sends a DNS query 720 to the DNS engine 712 when it needs to resolve a domain name to an IP address. The DNS query 720 passes through the wireless network 704, the gateway 706, the wide area network 708, and the dynamic policy enforcement engine 710.
A unique gateway identifier 722 is assigned to each gateway 706 that communicates with the dynamic policy enforcement engine 710. The gateway identifier 722 may be permanently assigned when the gateway 706 is manufactured. Alternatively, the gateway identifier 722 may be derived from a property of the gateway 706's location on the wide area network 708.
A unique device identifier 724 is associated with each mobile device 702 that is associated with the gateway 706. The device identifier 724 may be permanently assigned when the mobile device 702 is manufactured. Alternatively, the device identifier 724 may be derived from a property of the mobile device 702's location on the wireless network 704.
Each DNS query 720 transmitted over the wide area network 708 by the gateway 706 contains an additional data section 726. The gateway 706 inserts an additional data section 726 in each DNS query 720 if none is present in the DNS query 720 received from the mobile device 702. The additional data section 726 may contain one or more resource records 728, some of which may be pseudo resource records (pseudo-RRs). The gateway 706 inserts into the additional data section 726 a pseudo-RR 730 whose pseudo resource record type 732 is OPT, identifying it as an EDNS0 pseudo-RR. The gateway 706 inserts the gateway identifier 722 and the device identifier 724 into the pseudo-RR 730, uniquely identifying the mobile device 702 which originated the DNS query 720. The gateway 706 further inserts the mobile device 702's coordinates 718 into the pseudo-RR 730, identifying the mobile device 702's location.
When the dynamic policy enforcement engine 710 receives the DNS query 720 from the gateway 706 it selects a policy 716 which applies to the originating mobile device 702 from the memory device 714.
If the selected policy 716 indicates that the mobile device 702 is to be tracked, the dynamic policy enforcement engine 710 extracts the mobile device 702's coordinates 718 from the DNS query 720 and passes them to a tracking module 734, which stores them in a tracking database 736.
In another embodiment the dynamic policy enforcement engine 710 determines whether and when to store tracking data without reference to a policy 716. This embodiment does not use a memory device 714 or policies 716.
FIG. 8 shows an embodiment 800 of the device control system which provides control of individual devices and applications that run on individual devices. At least one privileged user 802 uses an individual device 804 which is associated with a gateway 806. Additional non-privileged users 808 may use individual devices 810 which are also associated with the gateway 806. The individual devices 804, 810 may each run an operating system 812, 814, and may each run one or more applications 816, 818.
When an individual device 804, 810 sends a DNS query to a DNS engine 820, the gateway 806 inserts an EDNS0 pseudo-RR into the DNS query in the manner shown in FIG. 1 and explained in the description of FIG. 1, thereby enabling a dynamic policy enforcement engine 822 to identify the individual device 804, 810 that originated the DNS query.
The privileged user 802 communicates with a policy control user interface 824. The policy control user interface 824 may be implemented as an application on a web server operated by an Internet service provider (ISP) 826. The policy control user interface 824 can also communicate with the dynamic policy enforcement engine 822.
The policy control user interface 824 may permit the privileged user 802 to create and maintain policies 828 which apply to one or more individual devices 804, 810. The policies 828 are stored in a memory device 830. The policy control user interface 824 may create and maintain the policies 828 by operating directly on the memory device 830, or by communicating with the dynamic policy enforcement engine 822 which operates on the memory device 830.
The dynamic policy enforcement engine 822 controls aspects of the operation of an individual device 804, 810 by selecting the policy 828 that applies to the individual device 804, 810. Aspects of the operation of an individual device 804, 810 which the policy 828 may control include the operating system 812, 814 of the individual device 804, 810, and the applications 816, 818 which run on the individual device 804, 810. The dynamic policy enforcement engine 822 may exercise control over the operating system 812, 814 by sending requests to the operating system 812, 814, by sending responses to requests made by the operating system 812, 814, or both. The dynamic policy enforcement engine 822 may exercise control over an application 816, 818 by sending requests to the application 816, 818 or to the operating system 812, 814, or by sending responses to requests made by the application 816, 818 or by the operating system 812, 814, or both. The dynamic policy enforcement engine 822 may exercise control over the operating system 812, 814 or the application 816, 818 at any time, including times when the selected policy 828 is created or modified, times when the individual device 804, 810 is started, and times when specified events occur.
FIG. 9 shows an embodiment 900 of the device control system which associates a policy 902 with a device group 904 rather than with an individual device 906, 908. Each device group 904 contains one or more individual devices 906, 908. An individual device 906, 908, operated by a user 910, 912, communicates with a DNS engine 914 through a gateway 916 and a dynamic policy enforcement engine 918.
Each DNS query 920 transmitted by the gateway 916 contains an additional data section 922. The gateway 916 inserts an additional data section 922 in each DNS query 920 if none is present in the DNS query 920 received from the individual device 906, 908. The gateway 916 inserts a pseudo-RR 924 of type OPT into the additional data section 922. The pseudo-RR 924 contains a gateway identifier 926 which identifies the gateway 916 and a device identifier 928 which identifies the device group 904 to which the individual device 906, 908 belongs. The dynamic policy enforcement engine 918 uses the gateway identifier 926 and the device identifier 928 to identify the device group 904 to which the individual device 906, 908 belongs. The dynamic policy enforcement engine 918 selects a policy 902 that applies to the device group 904 from a memory device 930.
FIG. 10 shows an embodiment 1000 of the device control system which delivers individualized content to individual devices. One or more users 1002, 1004 use one or more individual devices 1006, 1008 to communicate through a gateway 1010. Each DNS query from an individual device 1006, 1008 to a DNS engine 1012 passes through the gateway 1010 and a content module 1014.
When an individual device 1006, 1008 sends the content module 1014 a DNS query that refers to policy-sensitive content, the content module 1014 selects a policy 1016 which applies to the individual device 1006, 1008 from a memory device 1018. The selected policy 1016 may determine what content a communication module 1020 should present to the individual device 1006, 1008. The content module 1014 sends a DNS response to the individual device 1006, 1008 which identifies the content that the communication module 1020 should present. The individual device 1006, 1008 accordingly requests the content from the communication module 1020, and the communication module 1020 presents the content.
In some embodiments the content module 1014 may forward a DNS query that refers to policy-sensitive content to the DNS engine 1012 and modify the DNS engine 1012's response according to the selected policy 1016.
In some embodiments the DNS response which the content module 1014 returns to the individual device 1006, 1008 may identify the selected policy 1016. The communication module 1020 may then retrieve the selected policy 1016 from the memory device 1018 and use it to determine what content to present to the individual device 1006, 1008.
FIG. 11 shows the components of a system 1100 which implements the server side elements of a device control system. The system 1100 comprises one or more processors 1102, main memory 1104, static memory 1106, a disk drive unit 1108, and a network interface device 1110, all of which are communicably attached to a bus 1112. The bus may be any type of hardware or software which enables the attached components of the system 1100 to communicate with each other, such as a local area network or a wide area network.
The processors 1102 perform the functions of the system 1100 by executing instructions 1114 from the main memory 1104, the instructions 1114 being fetched into the main memory 1104 from a computer readable medium 1116 in the disk drive unit 1108.
The network interface device 1110 is attached to a wide area network 1118 through which the system 1100 can communicate with gateways and individual devices.
Many modifications and other embodiments of the example descriptions set forth herein to which these descriptions pertain will come to mind having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Thus, it will be appreciated that the disclosure may be embodied in many forms and should not be limited to the example embodiments described above.
Therefore, it is to be understood that the disclosure is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for the purposes of limitation.